From fcb95e270c027911aaf329d242514025ef6b3dce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Thu, 9 Nov 2023 14:39:02 -0300
Subject: [PATCH] fix: validate resource kind.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In order to allow only pod resource in the template policy, it's necessary to check the resource kind before trying to parse. This is necessary because the parse function can be able to parse it even if the resource is not pod. This is necessary to improve the docs about writing policy in rust.
Signed-off-by: José Guilherme Vanz
---
 src/lib.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib.rs b/src/lib.rs
index eff7c00..247925a 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -4,6 +4,7 @@ use guest::prelude::*;
 use kubewarden_policy_sdk::wapc_guest as guest;
 use k8s_openapi::api::core::v1 as apicore;
+use k8s_openapi::Resource;
 extern crate kubewarden_policy_sdk as kubewarden;
 use kubewarden::{logging, protocol_version_guest, request::ValidationRequest, validate_settings};
@@ -31,7 +32,10 @@ fn validate(payload: &[u8]) -> CallResult {
 let validation_request: ValidationRequest = ValidationRequest::new(payload)?;
 info!(LOG_DRAIN, "starting validation");
-
+ if validation_request.request.kind.kind != apicore::Pod::KIND {
+ warn!(LOG_DRAIN, "Policy validates Pods only. Accepting resource"; "kind" => &validation_request.request.kind.kind);
+ return kubewarden::accept_request();
+ }
 // TODO: you can unmarshal any Kubernetes API type you are interested in
 match serde_json::from_value::(validation_request.request.object) {
 Ok(pod) => {
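Review bot: The new guard in `validate` compares `request.kind.kind` alone, so an object from another API group whose kind is also named `Pod` would still reach `serde_json::from_value` and be evaluated as a core Pod, which is the lenient-parsing case the commit message describes. Comparing group and version as well would close that gap, e.g. `let gvk = &validation_request.request.kind;` followed by `if gvk.group != apicore::Pod::GROUP || gvk.version != apicore::Pod::VERSION || gvk.kind != apicore::Pod::KIND {` (this assumes the SDK's kind struct exposes `group` and `version`, which the hunk does not show). The early return is also fail-open: every non-Pod request is admitted, so a short comment above it should state that enforcement scope depends on the rules the policy is registered with and that the `warn!` line is the signal for a mis-scoped deployment. The body of `validate` continues past the end of this hunk.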